Analysis
- max time kernel: 149s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 11:37
Static task: static1
Behavioral task: behavioral1
- Sample: 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe
- Resource: win10v2004-en-20220113
General
- Target: 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe
- Size: 99KB
- MD5: 44a77e815f7f7c1cd82af396fee37bdf
- SHA1: 4bd37d470949caf948da3aeecaba59f1f163d85d
- SHA256: 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51
- SHA512: 0d73166d7cc9420bee201e0d43b4d1ee48e6a5f835261a55d273d642bed29ec11534fd8ab6ab84c0fadb3cb842da68acf3c7caa3f3d5cce6903fcdd4ab64bbf2
Malware Config
Signatures
- Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Executes dropped EXE (1 IoC)
Processes:
pid | process
1852 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe
- Drops file in Windows directory (8 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3356 | svchost.exe
Token: SeCreatePagefilePrivilege | 3356 | svchost.exe
Token: SeShutdownPrivilege | 3356 | svchost.exe
Token: SeCreatePagefilePrivilege | 3356 | svchost.exe
Token: SeShutdownPrivilege | 3356 | svchost.exe
Token: SeCreatePagefilePrivilege | 3356 | svchost.exe
Token: SeIncBasePriorityPrivilege | 1720 | 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
Token: SeBackupPrivilege | 3472 | TiWorker.exe
Token: SeRestorePrivilege | 3472 | TiWorker.exe
Token: SeSecurityPrivilege | 3472 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 1720 wrote to memory of 1852 | 1720 | 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe | MediaCenter.exe
PID 1720 wrote to memory of 1852 | 1720 | 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe | MediaCenter.exe
PID 1720 wrote to memory of 1852 | 1720 | 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe | MediaCenter.exe
PID 1720 wrote to memory of 1672 | 1720 | 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe | cmd.exe
PID 1720 wrote to memory of 1672 | 1720 | 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe | cmd.exe
PID 1720 wrote to memory of 1672 | 1720 | 03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe | cmd.exe
PID 1672 wrote to memory of 3700 | 1672 | cmd.exe | PING.EXE
PID 1672 wrote to memory of 3700 | 1672 | cmd.exe | PING.EXE
PID 1672 wrote to memory of 3700 | 1672 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe (PID 1720)
  Command line: "C:\Users\Admin\AppData\Local\Temp\03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1852)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1672)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03e9940ab91f9c111920d0737ee7482cfc75cf2570f98dbebc357c261c462f51.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3700)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 3356)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 3472)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 19821a4df05364dd7332ff316dbed52f
  SHA1: 0713e09347c8d4eafb2e620a6bc270ce84149cc5
  SHA256: 004b820005c009f0eabc23a7dfc1f78c50260ba07267b21da4b2956c74b27448
  SHA512: e03ec9ae7fb1945072495fea63209eba9bf10186ae5cbdd887cf787e31cfcdf277b969e84ab12cd5e899caa07c936e854a02c2bfc1f0a67faf5d3c285e9f1609
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 19821a4df05364dd7332ff316dbed52f
  SHA1: 0713e09347c8d4eafb2e620a6bc270ce84149cc5
  SHA256: 004b820005c009f0eabc23a7dfc1f78c50260ba07267b21da4b2956c74b27448
  SHA512: e03ec9ae7fb1945072495fea63209eba9bf10186ae5cbdd887cf787e31cfcdf277b969e84ab12cd5e899caa07c936e854a02c2bfc1f0a67faf5d3c285e9f1609
- memory/3356-135-0x0000024B08140000-0x0000024B08150000-memory.dmp
  Filesize: 64KB
- memory/3356-136-0x0000024B081A0000-0x0000024B081B0000-memory.dmp
  Filesize: 64KB
- memory/3356-137-0x0000024B0AEC0000-0x0000024B0AEC4000-memory.dmp
  Filesize: 16KB